
Protecting the Apache web server from a slow-reading attack, as well as some other targeted attacks

Greetings.
I want to share my experience of protecting the Apache web server from a slow-read attack. You can read about the attack itself here (English) and here (Russian).

The method described here secures the server with the mod_evasive and mod_security modules and, most importantly, takes less than half an hour to set up. The setup was done on Ubuntu 12.04 with Apache 2.2. On other versions of the web server and on other operating systems the procedure differs mainly in how the packages are installed and in the versions of the programs and modules involved.



Package installation
Since the protected server runs Ubuntu, the Apache modules it needs are installed with one command (these are the package names of Ubuntu 12.04; later releases call the mod_security package libapache2-mod-security2):
sudo apt-get install libapache2-mod-evasive libapache-mod-security

The mod_evasive package provides protection against application-level (HTTP) flood attacks, while mod_security protects against targeted attacks, including slow-read attacks. The split matters: mod_evasive counts requests per client and therefore does nothing against a slow attack, which sends very few requests; that part is left to mod_security.
At its core, mod_security is an open-source web application firewall (WAF) developed by Trustwave SpiderLabs.

Config mod_evasive
For the module to work you need a folder for its logs that is writable by the Apache user (it is assumed that the web server runs as www-data):
sudo mkdir /var/log/mod_evasive
sudo chown www-data:www-data /var/log/mod_evasive/


Create a settings file:
sudo nano /etc/apache2/conf.d/modevasive
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 90
DOSLogDir /var/log/mod_evasive
DOSEmailNotify EMAIL@DOMAIN.com
DOSWhitelist 127.0.0.1
</IfModule>

Replace the e-mail address with that of whoever should be notified about a detected attack (sending mail requires a local MTA such as sendmail or postfix). Two things to keep in mind: these thresholds are strict (DOSPageCount 2 with DOSPageInterval 1 blocks a client that requests the same URI more than twice within one second, which a double-click or a page reload can trigger), so tune them to your traffic; and mod_evasive counts per source address, so if Apache sits behind a reverse proxy every visitor shares the proxy's address and it must be whitelisted, or the counting moved to the proxy.
This completes the mod_evasive setup.

Config mod_security
Since mod_security is a firewall, it needs a rule set to work.
The latest version of the rules (the OWASP ModSecurity Core Rule Set, CRS) can be downloaded from the project's SourceForge page. Automatic updating of the rules can also be set up; it is described in more detail here.
The downloaded archive contains several folders. We are interested in the basic rules, which are in the base_rules folder. Create a folder for the rules and move them there from the unpacked archive (the .data files next to the .conf files are word lists the rules read, so they must come along):
sudo mkdir /etc/apache2/mod_security_rules
sudo mv base_rules/* /etc/apache2/mod_security_rules
sudo chown -R root:root /etc/apache2/mod_security_rules

Two checks before the rules can do anything. CRS 2.2 also ships a setup file at the root of the archive (modsecurity_crs_10_setup.conf.example) that sets the default action and the scoring variables the base rules refer to; copy it into the same folder under a .conf name so it is included before them, otherwise the base rules fall back to ModSecurity's default action of logging and passing. And the Ubuntu package leaves the engine off: copy /etc/modsecurity/modsecurity.conf-recommended to /etc/modsecurity/modsecurity.conf (that directory is included by the package's mod-security.conf) and change SecRuleEngine from the shipped DetectionOnly, which only logs, to On.

Create a configuration file for mod_security with the following contents:
sudo nano /etc/apache2/conf.d/modsecurity
<IfModule mod_security2.c>
Include mod_security_rules/*.conf
SecWriteStateLimit 100
</IfModule>

This config pulls in the rules we have just copied (the Include path is relative to ServerRoot, /etc/apache2) and, in addition, limits the number of worker threads a single IP address may hold in the SERVER_BUSY_WRITE state, the state a worker is in while it processes a request and writes the response, which is exactly where a slow-read or slow-POST client parks it. Once an address exceeds the limit, its further connections are rejected with HTTP 400, so Slow HTTP attacks of that kind no longer exhaust the workers. Three caveats: choose the limit relative to MaxClients (with the value 100 a single address can still occupy 100 workers, so lower it on a small server); Slowloris proper sends headers slowly and holds workers in the READ state, which is covered by the companion directive SecReadStateLimit; and newer ModSecurity 2.x releases renamed the pair SecConnReadStateLimit / SecConnWriteStateLimit and enforce them only with SecConnEngine On, so check the reference manual for your version.

For the 32-bit version of Ubuntu the configuration ends here.
On x64 the mod_security package has a bug caused by the multiarch library paths, because of which libxml2 is not found and Apache refuses to load the module. To fix it, first find where libxml2.so.2 lives on your system:
locate libxml2.so.2
(locate depends on an up-to-date database; listing /usr/lib/*/libxml2.so.2 with ls works without one.) There are two possibilities: /usr/lib/x86_64-linux-gnu/libxml2.so.2 or /usr/lib/i386-linux-gnu/libxml2.so.2. Then edit /etc/apache2/mods-enabled/mod-security.load and replace /usr/lib/libxml2.so.2 in its LoadFile line with the path to the library on your system.

Make sure the modules are enabled:
sudo a2enmod mod-evasive
sudo a2enmod mod-security

and restart Apache so the configs take effect (run apache2ctl configtest first; afterwards apache2ctl -M should list evasive20_module and security2_module):
sudo service apache2 restart
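The whole procedure above, collected into one script as an added example (this is not code from the article or from the mod_evasive / mod_security projects). It assumes the Ubuntu 12.04 / Apache 2.2 paths used in the article, a placeholder notification address in ADMIN_MAIL, and that the unpacked rule archive (its base_rules folder) is in the current directory; it edits mods-available/mod-security.load rather than the symlink in mods-enabled, and touches nothing unless run as root with --apply, so the individual functions can be tried against temporary files first:

```shell
#!/bin/sh
# Added example, not code from the original article: the article's manual steps
# collected into one script whose pieces can be checked before touching a server.
# Assumptions (change for your host): the paths below are the Ubuntu 12.04 /
# Apache 2.2 layout used in the article, ADMIN_MAIL is a placeholder, and the
# unpacked rule archive (its base_rules folder) is in the current directory.
# Nothing on the system is modified unless the script is run as root with --apply.
set -eu

ADMIN_MAIL="${ADMIN_MAIL:-EMAIL@DOMAIN.com}"

# Write the mod_evasive settings to $1 with log dir $2 and notify address $3.
write_evasive_conf() {
    conf="$1"; logdir="$2"; mail="$3"
    cat > "$conf" <<EOF
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 90
DOSLogDir $logdir
DOSEmailNotify $mail
DOSWhitelist 127.0.0.1
</IfModule>
EOF
}

# Write the mod_security settings to $1: include the rules in $2 (relative to
# ServerRoot) and cap the per-IP threads in the WRITE state at $3.
write_modsec_conf() {
    conf="$1"; rulesdir="$2"; limit="$3"
    cat > "$conf" <<EOF
<IfModule mod_security2.c>
Include $rulesdir/*.conf
SecWriteStateLimit $limit
</IfModule>
EOF
}

# Print the first existing libxml2.so.2 among the directories given as arguments;
# fail if none of them has it.
find_libxml() {
    for d in "$@"; do
        if [ -f "$d/libxml2.so.2" ]; then
            echo "$d/libxml2.so.2"
            return 0
        fi
    done
    return 1
}

# The x64 fix: rewrite the LoadFile line for libxml2 in mod-security.load ($1)
# to use the library path $2, then print the resulting line for verification.
fix_libxml_loadfile() {
    loadfile="$1"; libpath="$2"
    sed "s|^\([[:space:]]*LoadFile[[:space:]][[:space:]]*\)/usr/lib/libxml2\.so\.2|\1$libpath|" \
        "$loadfile" > "$loadfile.tmp" && mv "$loadfile.tmp" "$loadfile"
    grep 'libxml2' "$loadfile"
}

if [ "${1:-}" = "--apply" ]; then
    apt-get install -y libapache2-mod-evasive libapache-mod-security
    mkdir -p /var/log/mod_evasive
    chown www-data:www-data /var/log/mod_evasive
    write_evasive_conf /etc/apache2/conf.d/modevasive /var/log/mod_evasive "$ADMIN_MAIL"
    mkdir -p /etc/apache2/mod_security_rules
    cp base_rules/* /etc/apache2/mod_security_rules/   # .conf and .data files together
    chown -R root:root /etc/apache2/mod_security_rules
    write_modsec_conf /etc/apache2/conf.d/modsecurity mod_security_rules 100
    # Needed on x64; harmless on 32-bit, where the real path is written instead.
    if lib=$(find_libxml /usr/lib/x86_64-linux-gnu /usr/lib/i386-linux-gnu); then
        fix_libxml_loadfile /etc/apache2/mods-available/mod-security.load "$lib"
    fi
    a2enmod mod-evasive mod-security
    apache2ctl configtest && service apache2 restart
else
    echo "dry run: nothing changed; run as root with --apply to install"
fi
```

A dry check before applying: point write_evasive_conf and write_modsec_conf at a temporary directory and fix_libxml_loadfile at a copy of mod-security.load, then read the results; the only host-specific value the functions need is the libxml2 path, which find_libxml picks from the two multiarch directories the article names.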


Testing
For testing, use the slowhttptest utility. Its installation and options are described on the project's pages, so let's go straight to the run:
slowhttptest -c 65539 -B -g -o my_server_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u DOMAIN.COM -x 10 -p 3

Here -B selects the slow-body (slow POST) mode, with -s as the advertised Content-Length and -x the size of each follow-up chunk sent every -i seconds; -c is the number of connections, opened at -r per second; -t is the HTTP verb; -g and -o write a statistics report to my_server_stats; and -p is the timeout of the separate probe request that decides the "service available" verdict. Note that this run is a slow-POST test rather than a slow-read one: slowhttptest selects slow read with -X and Slowloris (slow headers) with -H, and each of the three holds a worker in a different way, so run all of them against the server.

If you believe the program's output, the server becomes unavailable at the fifth second:
Sat Jun 2 16:41:37 2012:slow HTTP test status on 5th second:
initializing: 0
pending: 564
connected: 217
error: 0
closed: 0
service available: NO

But here is what Apache wrote in its log:
tail /var/log/apache2/error.log
[Sat Jun 02 16:41:38 2012] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in WRITE state from xxx.xxx.xxx.xxx - Possible DoS Consumption Attack [Rejected]


So the server is no longer brought down by the slow attack: as soon as the attacking address holds more workers than allowed, its further connections are rejected, and they stay rejected for as long as the address is over the limit. The "service available: NO" above is partly a side effect of the test itself: the probe request slowhttptest uses for that verdict comes from the same address as the attack and is rejected with the rest, so to see that the server really is still serving, request a page from a different address during the test.
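The log line above is the signal to act on, for example by feeding the attacking addresses to a firewall. As an added example that is not from the article, a small shell script that counts the WRITE-state rejections per address in an error.log and lists the repeat offenders; the log lines are constructed for the example in the format shown above (documentation IPs), plus one unrelated error line to show it is skipped, and blocking with iptables is an assumption about the host:

```shell
#!/bin/sh
# Added example, not code from the article: find the addresses ModSecurity rejected
# for exceeding SecWriteStateLimit in an Apache error.log and list repeat offenders.
# Assumptions: Apache 2.2 error.log format as in the article's log line, and
# iptables as the host firewall for the generated block commands.
set -eu

# Constructed sample log for the example (documentation IPs); the third line is an
# unrelated error that the filter must skip.
SAMPLE_LOG='[Sat Jun 02 16:41:38 2012] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in WRITE state from 203.0.113.7 - Possible DoS Consumption Attack [Rejected]
[Sat Jun 02 16:41:39 2012] [warn] ModSecurity: Access denied with code 400. Too many threads [102] of 100 allowed in WRITE state from 203.0.113.7 - Possible DoS Consumption Attack [Rejected]
[Sat Jun 02 16:41:40 2012] [error] [client 198.51.100.4] File does not exist: /var/www/favicon.ico
[Sat Jun 02 16:41:41 2012] [warn] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in WRITE state from 198.51.100.4 - Possible DoS Consumption Attack [Rejected]
[Sat Jun 02 16:41:42 2012] [warn] ModSecurity: Access denied with code 400. Too many threads [103] of 100 allowed in WRITE state from 203.0.113.7 - Possible DoS Consumption Attack [Rejected]'

# Print "count ip" for every address rejected in the WRITE state in log file $1,
# most rejections first. The address is the word after "from" on matching lines.
write_state_rejects() {
    awk '/ModSecurity: Access denied/ && /allowed in WRITE state from/ {
             for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
         }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 rejections in log file $1.
offenders() {
    write_state_rejects "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Print (do not run) a DROP rule per offender; review the output, then pipe it to sh.
block_commands() {
    offenders "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Stand-alone demonstration on the constructed log.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
write_state_rejects "$demo_log"
block_commands "$demo_log" 2
rm -f "$demo_log"
```

On a live server replace the constructed log with /var/log/apache2/error.log and pick the threshold so that a single rejection (which a busy legitimate client behind NAT can also produce) is not enough to be blocked; the same grep pattern also serves as a fail2ban filter if you prefer time-limited bans to permanent DROP rules.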

The main advantages of this protection are the simplicity and speed of setup and the use of open-source tools.
Its weak point is a distributed attack from many different IP addresses: both limits are counted per source address, so an attacker with enough addresses can stay under each limit while still using up all the workers.

Source: https://habr.com/ru/post/145215/

